Request for feedback - Suricata: An Operator's Guide

Hey folks,

This year, I’ll be working on creating a digital book that is a collection of Suricata best practices. I want it to serve as a kind of bridge between how Suricata works, how to reduce noise/false positives/alert fatigue, how Suricata rules work, and how to write your own rules. So far, this is a list of chapters/subjects I’ve identified that I definitely want to cover:

  • NIDS and IDS evasion history, and its influence on the design of both Snort and Suricata
  • Setting up a rule writing/perf testing environment with Dalton
  • Understanding the importance of sensor placement
  • Anatomy of a Suricata 5+ rule
  • What makes a rule good
  • Understanding rule performance metrics
  • How to reduce false positives/alert fatigue
  • Scenarios/exercises involving malware, pcaps and rule writing (a la malware traffic analysis exercises)

So I don’t know if any of you are familiar with a prior work of mine, Building Virtual Machine Labs: A Hands-On Guide, but while I was writing it, I would add new chapters and just share the revisions publicly. After it was all done, I posted it to Leanpub and set the minimum price on it to free. I want to do the same thing with this book/guide as well.

So, this is the part where I’m asking you for feedback: What subjects pertaining to Suricata or NSM management in general would you want to see covered in such a work? Thank you in advance!

  • Tuning (e.g., optimizing packet drop rate)
  • Validating rules
  • Advanced jq and the eve.json log
  • Ruleset management using suricata-update and oinkmaster
  • Customizing existing rules
  • Threat Emulation
  • File extraction
  • Integration with Zeek
  • Using Suricata with Arkime

I’ve been working on a project to automate our assessment of whether a particular rule would be a good fit for our environment. I’d appreciate discussion on using a signature’s “tells” (classtype, severity, etc.) to make such an assessment.


A total side note, but I’d love to know more about this project. Is this something you’d be willing to discuss in more detail? I know some projects might not be publicly sharable, but sharing your approach to rule tuning based on your environment might be very valuable for other NIDS users.


Thanks, @bmurphy. What I’ve been working on isn’t ready for prime-time yet, but the gist of it is that I’ve written a basic parser to turn rules into a structured format (JSON), so that I can slice and dice the ruleset in Python with greater granularity than the Suricata configuration files (disable/enable/modify) allow. I hope to post about it publicly when I’m ready.
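The rule-to-JSON idea described in the post above, as an added example that is neither the poster's code nor anything from the Suricata project: it parses rule lines into JSON-serialisable dicts (header fields, ordered options, bare keywords, metadata pairs) and then filters on the classtype and signature_severity "tells" raised earlier in the thread. The two sample rules, their sids and the severity ranking are constructed for this example.

```python
import re

# Constructed sample rules (not from the thread); sids are placeholders in the local range.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Beacon checkin"; flow:established,to_server; http.uri; content:"/gate.php"; classtype:trojan-activity; sid:9000001; rev:2; metadata:signature_severity Major;)
# alert tcp any any -> any 23 (msg:"EXAMPLE Telnet login prompt"; content:"login|3a|"; nocase; classtype:policy-violation; sid:9000002; rev:1; metadata:signature_severity Minor;)
"""

# header: [#] action proto src sport dir dst dport ( ... )
HEADER_RE = re.compile(r"^(#\s*)?(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# one option up to its terminating ';', leaving quoted strings and \-escapes intact
OPTION_RE = re.compile(r'((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')
SEVERITY_RANK = {"Informational": 0, "Minor": 1, "Major": 2, "Critical": 3}  # assumed ordering


def parse_rule(line):
    """Turn one rule line into a JSON-serialisable dict; None for non-rule lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    disabled, action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"enabled": disabled is None, "action": action, "proto": proto, "src": src,
            "sport": sport, "direction": direction, "dst": dst, "dport": dport,
            "options": [], "flags": [], "metadata": {}}
    for opt in OPTION_RE.findall(body):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if not val:                          # bare keywords: nocase, http.uri, ...
            rule["flags"].append(key)
        elif key == "metadata":              # "k v, k v" pairs carry the severity "tell"
            for item in val.split(","):
                mk, _, mv = item.strip().partition(" ")
                rule["metadata"][mk] = mv.strip()
        else:                                # repeatable keywords stay an ordered list
            rule["options"].append([key, val.strip('"')])
    for key in ("msg", "classtype", "sid", "rev"):   # promote the single-valued "tells"
        rule[key] = next((v for k, v in rule["options"] if k == key), None)
    return rule


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def select_sids(rules, classtypes, min_severity="Major"):
    """Sids whose classtype is wanted and whose metadata severity meets the floor."""
    floor = SEVERITY_RANK[min_severity]
    return [r["sid"] for r in rules if r["classtype"] in classtypes and
            SEVERITY_RANK.get(r["metadata"].get("signature_severity"), -1) >= floor]


if __name__ == "__main__":
    print(select_sids(load_rules(SAMPLE_RULES), {"trojan-activity", "policy-violation"}))
```

Disabled (commented-out) rules are parsed too, with `enabled` set to False, so the same filter can be used to decide what to re-enable as well as what to drop.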